We've got a webserver running IIS. We'd like to run maybe a shared blog or something to keep track of information. Because of security issues, we'd like for that part to
Should anyone wish to do this on the command line, this appears to work on IIS 7+
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/security/ipSecurity /+"[ipAddress='0',allowed='False']" /commit:apphost
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/security/ipSecurity /+"[ipAddress='127.0.0.1',allowed='True']" /commit:apphost
I initially wanted to do this in web.config to ease distribution, and it looked like the following might work:
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false"> <!-- this line blocks everybody, except those listed below -->
        <clear/> <!-- removes all restrictions inherited from parent configuration levels -->
        <add ipAddress="127.0.0.1" allowed="true"/> <!-- allow requests from the local machine -->
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
but as you need to unlock the function in the central IIS config anyway there was no advantage over making the change directly using the first commands.
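The same restriction done end to end with the WebAdministration module, including the unlock step the answer mentions and a check of the result. This is an added example, not the answer's own code; it assumes the site is named "Default Web Site", that the "IP and Domain Restrictions" role service is installed, and that the site is bound to all addresses so the 403 check from the non-loopback address is meaningful.

```powershell
# Added example (not from the original post). Assumes the WebAdministration
# module (IIS 7.5+) and the "IP and Domain Restrictions" role service.
Import-Module WebAdministration

$site     = 'Default Web Site'
$sitePath = "IIS:\Sites\$site"
$filter   = '/system.webServer/security/ipSecurity'

# 1. Unlock the section at server level, otherwise the site-level change
#    (or the same settings in web.config) is refused with a lock violation.
Set-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Metadata overrideMode -Value Allow

# 2. Drop any previous site-level settings, then deny everyone by default.
Clear-WebConfiguration -Filter $filter -PSPath $sitePath
Set-WebConfigurationProperty -Filter $filter -PSPath $sitePath -Name allowUnlisted -Value $false

# 3. Allow only the local machine. ::1 is added too because "localhost" may
#    resolve to the IPv6 loopback first (assumption: IPv6 is enabled).
foreach ($ip in '127.0.0.1', '::1') {
    Add-WebConfigurationProperty -Filter $filter -PSPath $sitePath -Name '.' `
        -Value @{ ipAddress = $ip; allowed = 'True' }
}

# 4. Verify what IIS actually stored for this site.
$cfg = Get-WebConfiguration -Filter $filter -PSPath $sitePath
"allowUnlisted = $($cfg.allowUnlisted)"
$cfg.Collection | Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize

# 5. Functional check from the server itself: loopback should return 200,
#    the machine's non-loopback address should return 403 (IIS 403.6).
$publicIp = (Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -ne '127.0.0.1' } |
             Select-Object -First 1).IPAddress
foreach ($addr in '127.0.0.1', $publicIp) {
    try {
        $r = Invoke-WebRequest -Uri "http://$addr/" -UseBasicParsing
        "$addr -> HTTP $($r.StatusCode)"
    } catch {
        "$addr -> HTTP $($_.Exception.Response.StatusCode.value__)"
    }
}
```

Run in an elevated PowerShell on the IIS host; the 403 for the non-loopback address is the confirmation that remote clients are being refused.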
I agree with the recommendations to use IIS "Directory Security" to block all IP addresses except 127.0.0.1 (localhost).
That said, I'm wondering how this strategy of requiring users to remote in could possibly be more secure. Wouldn't it be more secure (as well as much simpler) to use standard IIS authentication mechanisms rather than have to manage Windows roles and permissions on the server machine?
It depends on exactly what you want to happen if an unauthorized user tries to visit it.
You could try to set up the specific section as a virtual directory, then deny view to anonymous users. However, they will be prompted for login, and if they can log in then they could see it.
You can also use bindings instead of IP restrictions. If you edit the bindings for the web site you want to restrict access to, you can select which IP address the site is available at. If you set the IP address to 127.0.0.1, then the site is only responding on this IP address, and this IP address will of course only work locally on the machine.
I've tested this using IIS 8.5.